Fortinet white logo
Fortinet white logo

Administration Guide

VM license

VM license

The FortiGate VM License page is accessible from the Dashboard > Status page in the Virtual Machine widget. Click the device license and select FortiGate VM License.

The FortiGate VM License page displays the following information:

Field

Description

License status

One of the following statuses is displayed:

  • Valid: the VM can connect and validate the license against a FortiManager or FortiGuard server. All features are available.
  • Warning: the VM cannot connect and validate against a FortiManager or FortiGuard server. A check is made against how many days the warning status is continuous. If the number is less than 30 days, the status does not change.
  • Invalid: the VM cannot connect and validate against a FortiManager or FortiGuard server. A check is made against how many days the warning status is continuous. If the number is 30 days or more, the status changes to invalid. GUI access is restricted until a valid license is uploaded. Firewall policies will not work. FortiGuard downloads are not available.
  • Pending: a temporary state where the VM is attempting to validate its license.

Reasons for having a warning or invalid status include:

  • The network environment does not allow FortiGate-VM to connect to the FortiGuard server.
  • The license might be expired. Check the expiration date for evaluation or term-based licenses.
  • Another VM has been already validated with FortiGuard using the same license. See VM license activation for details about duplicated VM instances.

Allocated vCPUs

Number of allocated and total allowable vCPUs

Allocated RAM

Amount of allocated RAM (in FortiOS 6.2.2 and later, there are no RAM restrictions)

Expires on

Expiry date (value depends on the type of license)

This information is visible in the CLI by running get system status (see CLI troubleshooting).

Uploading a license file

After you submit an order for a FortiGate-VM, Fortinet sends a license registration code to the email address that you entered in the order form. Use this code on the FortiCloud portal to register the FortiGate-VM.

Once the VM is registered, you can download the license file in .LIC format. On the FortiGate VM License page, click Upload. The system will prompt you to reboot and validate the license with the FortiGuard server. Once validated, your FortiGate-VM is fully functional.

The VM license window may also appear immediately after logging in if you are running a VM with an evaluation license that has expired.

In cases where the GUI is not accessible, you can upload the license using secure copy (SCP).

Tooltip

For information about injecting Flex-VM license tokens, see Injecting tokens into FortiGate-VM in the Flex VM Deployment Guide.

To upload the license using SCP:
  1. Enable SCP:
    config system global
        set admin-scp enable
    end
  2. Enable SSH in the administrative access for the interface where the transfer will take place:
    config system interface
        edit <interface>
            append allowaccess ssh
        next
    end
  3. On your computer, upload the VM license. This example is for Linux:
    scp <filename> <admin-user>@<FortiGate_IP>:vmlicense

Types of VM licenses

FortiGate-VM offers perpetual licensing (normal series and V-series) and annual subscription licensing (S-series). SKUs are based on the number of vCPUs (1, 2, 4, 8, 16, 32, or unlimited).

The Flex-VM program allows qualified enterprise and MSSP customers to create as many VM entitlements as required. Resource consumption is based upon predefined points that are calculated on a daily basis. For information, see the Flex-VM Program Guide in the Fortinet document library.

Feature

Normal series

V-series

S-series

Flex-VM

Licensing and support

The VM base is perpetual.

You must separately contract support services on an annual basis.

See the price list for details.

Single annually contracted SKU that contains a VM base and a FortiCare service bundle.

Four support service bundle types are available:

  • Only FortiCare
  • UTM
  • Enterprise
  • ATP

An annually contracted program to create multiple sets of a single entitlement per VM. Entitlements contain a VM base and FortiCare bundle.

Four support service bundle types are available:

  • Only FortiCare
  • UTM
  • Enterprise
  • ATP

vCPU number upgrade during contracted term

Not supported.

Supported. You can also upgrade the support service bundle.

Contact a Fortinet sales representative to upgrade.

Supported. You can apply different VM entitlement configurations in the Flex-VM portal. API is not supported at this time.

vCPU number downgrade during contracted term

Not supported.

VDOM support

By default, each CPU level supports up to a certain number of VDOMs.

Refer to the FortiGate-VM data sheet for default limits.

By default, all CPU levels do not support adding VDOMs.

CLI troubleshooting

In some cases, more information can be viewed from the CLI to diagnose issues with VM licensing. This is also useful when the GUI is inaccessible due to an invalid contract.

Before you begin, ensure your FortiGate has the proper routes to connect to the internet.

To view the license status, expiration date, and VM resources:
# get system status
Version: FortiGate-VM64-KVM v6.4.2,build1723,200730 (GA)
...
Serial-Number: FGVM08**********
....
License Status: Valid
License Expiration Date: 2020-12-10
VM Resources: 1 CPU/8 allowed, 2010 MB RAM
...
To display license details:
# diagnose debug vm-print-license
SerialNumber: FGVM08**********
CreateDate: Tue Dec 10 00:57:32 2019
License expires: Thu Dec 10 00:00:00 2020
Expiry: 366
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: 08 (11)
CPU: 8
MEM: 2147483647
To display license information from FortiGuard:
# diagnose hardware sysinfo vm full
UUID:     abbe****************************
valid:    1
status:   1
code:     200
warn:     0
copy:     0
received: 4604955037
warning:  4600905081
recv:     202009152207
dup:

This combination indicates the license is valid and functioning normally:

valid: 1
status: 1
code: 200

This combination indicates the license is valid but may be running a duplicate instance:

valid: 1
status: 4
code: 401

This combination indicates the system cannot connect to FortiGuard:

valid:    0
status:   2
code:     502

This combination indicates the license is invalid:

valid: 0
status: 3
code: 400

Contact Fortinet Support for assistance if your licensing issue persists.

VM license

VM license

The FortiGate VM License page is accessible from the Dashboard > Status page in the Virtual Machine widget. Click the device license and select FortiGate VM License.

The FortiGate VM License page displays the following information:

Field

Description

License status

One of the following statuses is displayed:

  • Valid: the VM can connect and validate the license against a FortiManager or FortiGuard server. All features are available.
  • Warning: the VM cannot connect and validate against a FortiManager or FortiGuard server. A check is made against how many days the warning status is continuous. If the number is less than 30 days, the status does not change.
  • Invalid: the VM cannot connect and validate against a FortiManager or FortiGuard server. A check is made against how many days the warning status is continuous. If the number is 30 days or more, the status changes to invalid. GUI access is restricted until a valid license is uploaded. Firewall policies will not work. FortiGuard downloads are not available.
  • Pending: a temporary state where the VM is attempting to validate its license.

Reasons for having a warning or invalid status include:

  • The network environment does not allow FortiGate-VM to connect to the FortiGuard server.
  • The license might be expired. Check the expiration date for evaluation or term-based licenses.
  • Another VM has been already validated with FortiGuard using the same license. See VM license activation for details about duplicated VM instances.

Allocated vCPUs

Number of allocated and total allowable vCPUs

Allocated RAM

Amount of allocated RAM (in FortiOS 6.2.2 and later, there are no RAM restrictions)

Expires on

Expiry date (value depends on the type of license)

This information is visible in the CLI by running get system status (see CLI troubleshooting).

Uploading a license file

After you submit an order for a FortiGate-VM, Fortinet sends a license registration code to the email address that you entered in the order form. Use this code on the FortiCloud portal to register the FortiGate-VM.

Once the VM is registered, you can download the license file in .LIC format. On the FortiGate VM License page, click Upload. The system will prompt you to reboot and validate the license with the FortiGuard server. Once validated, your FortiGate-VM is fully functional.

The VM license window may also appear immediately after logging in if you are running a VM with an evaluation license that has expired.

In cases where the GUI is not accessible, you can upload the license using secure copy (SCP).

Tooltip

For information about injecting Flex-VM license tokens, see Injecting tokens into FortiGate-VM in the Flex VM Deployment Guide.

To upload the license using SCP:
  1. Enable SCP:
    config system global
        set admin-scp enable
    end
  2. Enable SSH in the administrative access for the interface where the transfer will take place:
    config system interface
        edit <interface>
            append allowaccess ssh
        next
    end
  3. On your computer, upload the VM license. This example is for Linux:
    scp <filename> <admin-user>@<FortiGate_IP>:vmlicense

Types of VM licenses

FortiGate-VM offers perpetual licensing (normal series and V-series) and annual subscription licensing (S-series). SKUs are based on the number of vCPUs (1, 2, 4, 8, 16, 32, or unlimited).

The Flex-VM program allows qualified enterprise and MSSP customers to create as many VM entitlements as required. Resource consumption is based upon predefined points that are calculated on a daily basis. For information, see the Flex-VM Program Guide in the Fortinet document library.

Feature

Normal series

V-series

S-series

Flex-VM

Licensing and support

The VM base is perpetual.

You must separately contract support services on an annual basis.

See the price list for details.

Single annually contracted SKU that contains a VM base and a FortiCare service bundle.

Four support service bundle types are available:

  • Only FortiCare
  • UTM
  • Enterprise
  • ATP

An annually contracted program to create multiple sets of a single entitlement per VM. Entitlements contain a VM base and FortiCare bundle.

Four support service bundle types are available:

  • Only FortiCare
  • UTM
  • Enterprise
  • ATP

vCPU number upgrade during contracted term

Not supported.

Supported. You can also upgrade the support service bundle.

Contact a Fortinet sales representative to upgrade.

Supported. You can apply different VM entitlement configurations in the Flex-VM portal. API is not supported at this time.

vCPU number downgrade during contracted term

Not supported.

VDOM support

By default, each CPU level supports up to a certain number of VDOMs.

Refer to the FortiGate-VM data sheet for default limits.

By default, all CPU levels do not support adding VDOMs.

CLI troubleshooting

In some cases, more information can be viewed from the CLI to diagnose issues with VM licensing. This is also useful when the GUI is inaccessible due to an invalid contract.

Before you begin, ensure your FortiGate has the proper routes to connect to the internet.

To view the license status, expiration date, and VM resources:
# get system status
Version: FortiGate-VM64-KVM v6.4.2,build1723,200730 (GA)
...
Serial-Number: FGVM08**********
....
License Status: Valid
License Expiration Date: 2020-12-10
VM Resources: 1 CPU/8 allowed, 2010 MB RAM
...
To display license details:
# diagnose debug vm-print-license
SerialNumber: FGVM08**********
CreateDate: Tue Dec 10 00:57:32 2019
License expires: Thu Dec 10 00:00:00 2020
Expiry: 366
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: 08 (11)
CPU: 8
MEM: 2147483647
To display license information from FortiGuard:
# diagnose hardware sysinfo vm full
UUID:     abbe****************************
valid:    1
status:   1
code:     200
warn:     0
copy:     0
received: 4604955037
warning:  4600905081
recv:     202009152207
dup:

This combination indicates the license is valid and functioning normally:

valid: 1
status: 1
code: 200

This combination indicates the license is valid but may be running a duplicate instance:

valid: 1
status: 4
code: 401

This combination indicates the system cannot connect to FortiGuard:

valid:    0
status:   2
code:     502

This combination indicates the license is invalid:

valid: 0
status: 3
code: 400

Contact Fortinet Support for assistance if your licensing issue persists.